Laurent on Dellus.com wrote:

> shorewall interface:
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        -           norfc1918,routefilter,tcpflags
> loc     br0         detect      tcpflags,dhcp
> vpn     tap+

No! You *never* list bridged interfaces in the /etc/shorewall/interfaces file.

Your interfaces file should be:

    net     ppp0    -       ...
    -       br0     detect  ...

Your hosts file should be:

    loc     br0:eth1
    vpn     br0:tap+

For the above to work, you need physdev match support in your kernel and iptables. For more information see http://shorewall.net/bridge.html.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi,

I have a Linux firewall based on shorewall with 2 NIC and ADSL (ppp0). My ppp0 ip is fixed. The internal NIC, eth1, is bridged with tap0, tap1 and tap2 to form br0. br0 subnet is 192.168.2.0/24. The firewall is configured to masq internal traffic and block whatever needs to be blocked. It is also configured to tunnel openvpn v1.6.

I have a roaming laptop running XP. I can create a tunnel but I can only ping the firewall. Pinging other computers on the subnet fails with:

    <ip of firewall> Destination Host Unreachable

Because I can create a tunnel and ping the firewall I assume openvpn is OK, but on the other hand, since it's a bridge configuration which doesn't require routing, I don't understand why I can't ping computers on the subnet. I suspect my firewall but I went over the openvpn howto and all seems fine. For the record I'm adding my openvpn and firewall configuration.

openvpn.conf:

    local <ip of ppp0>
    port 8881
    dev tap0
    secret key.txt
    persist-key
    persist-tun
    ping-timer-rem
    ping-restart 60
    ping 10
    comp-lzo
    user nobody
    group nobody

shorewall interface:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     ppp0        -           norfc1918,routefilter,tcpflags
    loc     br0         detect      tcpflags,dhcp
    vpn     tap+
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

shorewall zones:

    #ZONE   DISPLAY     COMMENTS
    net     Net         Internet
    loc     Local       Local Networks
    vpn     VPN         Remote subnet
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

shorewall tunnels:

    # TYPE          ZONE    GATEWAY     GATEWAY ZONE
    openvpn:8881    net     0.0.0.0/0
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

shorewall masq:

    #INTERFACE  SUBNET  ADDRESS
    ppp0        br0     <ip of ppp0>
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

shorewall policy:

    #SOURCE     DEST    POLICY  LOG LEVEL   LIMIT:BURST
    loc         net     ACCEPT
    fw          net     ACCEPT
    net         all     DROP    info
    loc         vpn     ACCEPT
    vpn         loc     ACCEPT
    # THE FOLLOWING POLICY MUST BE LAST
    all         all     REJECT  info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The nat, hosts, actions, proxyarp and blacklist files are empty.

The only problem I can see is in the tunnels file where the gateway is 0.0.0.0/0, but since it's a road warrior configuration I don't know which ip to put there. I tried the ip of the firewall internal subnet, 192.168.2.254, but it didn't work.

Obviously I'm missing something and need help.

Thanks for your support,
Laurent
Tom Eastep wrote:
> Laurent on Dellus.com wrote:
>
>> shorewall interface:
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     ppp0        -           norfc1918,routefilter,tcpflags
>> loc     br0         detect      tcpflags,dhcp
>> vpn     tap+
>
> No! You *never* list bridged interfaces in the /etc/shorewall/interfaces

Let me elaborate a bit.

In Netfilter/iptables, the input and/or output interfaces may be specified in a rule using the -i and -o parameters respectively (for example, "-i eth0" selects packets that came in on eth0). Interfaces defined in /etc/shorewall/interfaces must be usable with these parameters. This is the reason that "virtual" interfaces (e.g., eth0:0) can't appear in /etc/shorewall/interfaces.

When a network interface is bridged, the device can no longer be specified in the -i and -o parameters because the interface for the traffic is the bridge device (which *can* appear in -i and -o). So when there is a bridge, the bridge device is entered in /etc/shorewall/interfaces but the bridge's "ports" must be specified using the /etc/shorewall/hosts file using the <bridge>:<port> syntax.

Hope this helps,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
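The mapping Tom describes above, as an added example that is not part of the thread and is not Shorewall's own code: a POSIX sh script that turns hosts-file entries of the <bridge>:<port> form into the iptables matches they stand for (-i selects the bridge device, -m physdev --physdev-in selects the port) and flags interfaces-file entries that name a bridge port. The loc2fw/vpn2fw chain names, the dry run (rules are printed, never loaded) and the sample file contents, which are constructed from the configuration posted in this thread, are all assumptions of the example.

```shell
#!/bin/sh
# Added example; not from the shorewall list thread or the Shorewall project.
# Chain names (<zone>2fw), the dry run and the samples below are assumptions.

# Constructed sample of /etc/shorewall/interfaces (ZONE INTERFACE columns)
# as originally posted: eth1 and tap+ are both enslaved to br0.
INTERFACES_WRONG='net ppp0
loc br0
vpn tap+'

# Corrected interfaces file: only devices that iptables -i/-o can name.
# The "-" zone means br0 itself belongs to no zone; the hosts file decides.
INTERFACES_RIGHT='net ppp0
- br0'

# Constructed sample of the corrected /etc/shorewall/hosts (ZONE HOSTS columns).
HOSTS_SAMPLE='loc br0:eth1
vpn br0:tap+'

# The bridge ports, which therefore must not appear in the interfaces file.
BRIDGE_PORTS='eth1 tap+'

# Print the netfilter match for one hosts entry "zone bridge:port".
# -i names the bridge, the only device netfilter sees once eth1 is enslaved;
# -m physdev --physdev-in narrows it to the physical port, which is why the
# kernel and iptables need physdev match support for this to work.
physdev_rule() {
    zone=$1
    bridge=${2%%:*}
    port=${2#*:}
    printf 'iptables -A INPUT -i %s -m physdev --physdev-in %s -j %s2fw\n' \
        "$bridge" "$port" "$zone"
}

# Translate every hosts entry into a printed rule (dry run).
hosts_to_rules() {
    printf '%s\n' "$1" | while read -r zone hosts; do
        if [ -n "$zone" ]; then
            physdev_rule "$zone" "$hosts"
        fi
    done
}

# Print the interfaces entries that name a bridge port; empty output = clean.
# Usage: bridged_in_interfaces "$INTERFACES_FILE_CONTENT" "$BRIDGE_PORTS"
bridged_in_interfaces() {
    printf '%s\n' "$1" | while read -r zone iface; do
        for p in $2; do
            if [ "$iface" = "$p" ]; then
                printf '%s %s\n' "$zone" "$iface"
            fi
        done
    done
}

# Stand-alone run: show the generated rules and both checks.
hosts_to_rules "$HOSTS_SAMPLE"
printf 'bridged ports listed in the wrong interfaces file: %s\n' \
    "$(bridged_in_interfaces "$INTERFACES_WRONG" "$BRIDGE_PORTS")"
printf 'bridged ports listed in the corrected interfaces file: %s\n' \
    "$(bridged_in_interfaces "$INTERFACES_RIGHT" "$BRIDGE_PORTS")"
```

On a host where physdev is built, `iptables -m physdev --help` lists the --physdev-in/--physdev-out options; that only checks the userspace side, the kernel module still has to be present, as Tom notes.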
Hi Tom,

First, thanks again for your really fast reply.

Second, it works like a charm now. I would never have found the solution, but thanks to your explanation below I understand better how it works.

Hopefully the last time you hear from me.

Thanks,
Laurent

> Tom Eastep wrote:
> > Laurent on Dellus.com wrote:
> >
> >> shorewall interface:
> >> #ZONE   INTERFACE   BROADCAST   OPTIONS
> >> net     ppp0        -           norfc1918,routefilter,tcpflags
> >> loc     br0         detect      tcpflags,dhcp
> >> vpn     tap+
> >
> > No! You *never* list bridged interfaces in the /etc/shorewall/interfaces
>
> Let me elaborate a bit.
>
> In Netfilter/iptables, the input and/or output interfaces may be
> specified in a rule using the -i and -o parameters respectively (for
> example, "-i eth0" selects packets that came in on eth0). Interfaces
> defined in /etc/shorewall/interfaces must be usable with these
> parameters. This is the reason that "virtual" interfaces (e.g., eth0:0)
> can't appear in /etc/shorewall/interfaces.
>
> When a network interface is bridged, the device can no longer be
> specified in the -i and -o parameters because the interface for the
> traffic is the bridge device (which *can* appear in -i and -o). So when
> there is a bridge, the bridge device is entered in
> /etc/shorewall/interfaces but the bridge's "ports" must be specified
> using the /etc/shorewall/hosts file using the <bridge>:<port> syntax.
>
> Hope this helps,
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net